// Validates that trying to create an encryption key with a setting of KeyDerivation enabled for a
// key type that does not support Convergent or key Derivation encryption throws an exception.
public void CreateEncryptionKey_ErrorsOnInvalidKeyTypeKeyDerivationSetting2(TransitEnumKeyType keyType)
{
string key = _uniqueKeys.GetKey();
Assert.That(() => _transitSecretEngine.CreateEncryptionKey(key, false, false, keyType, true),
Throws.Exception.TypeOf <ArgumentOutOfRangeException>().With.Property("ParamName").EqualTo("keyType"));
}
/// <summary>
/// Used as shortcut for commonly called code in test methods of Transit Type.
/// </summary>
/// <param name="keyType">Type of key to make</param>
/// <param name="keyDerivation">Boolean. True if you want a key that supports key derivation.</param>
/// <param name="convergentKey">Boolean. True if you want a key that supports convergent encryption.</param>
/// <returns>string value of the key name.</returns>
public async Task <string> Transit_InitWithKey(TransitEnumKeyType keyType = TransitEnumKeyType.aes256,
bool keyDerivation = false,
bool convergentKey = false)
{
string key = _uniqueKeys.GetKey("Key");
// Create key.
bool rc = await _transitSecretEngine.CreateEncryptionKey(key, true, true, keyType, keyDerivation, convergentKey);
Assert.True(rc);
return(key);
}
// ==============================================================================================================================================
/// <summary>
/// Creates an encryption key with the specified name. Since encryption key parameters cannot be changed after initial creation AND vault does not
/// return an error telling you a key already exists - it just returns Success, it is best to call the IfKeyExists function first to make sure the
/// key you want to create will be able to be created with the values you want.
/// </summary>
/// <param name="keyName">This is the actual name of the encryption key.</param>
/// <param name="canBeExported">Boolean: If you want to be able to export the key then set this to True.</param>
/// <param name="allowPlainTextBackup">Boolean. If you want to be able to perform a plain text backup of the key, set to True.</param>
/// <param name="keyType">The type of encryption key to use. Best choices are one of the RSA keys or the AES key.</param>
/// <param name="enableKeyDerivation">Enables Key Derivation. Key derivtion requires that an encryption context must be supplied with each encrypt operation.</param>
/// <param name="enableConvergentEncryption">Enables Convergent Encryption. Convergent encryption means that the same plaintext value will always result in the
/// same encrypted ciphertext.</param>
/// <returns>True if successful. However, it could also mean the key already exists, in which case the parameters you set here may not be what the key
/// is set to.</returns>
public async Task <bool> CreateEncryptionKey(string keyName,
bool canBeExported = false,
bool allowPlainTextBackup = false,
TransitEnumKeyType keyType = TransitEnumKeyType.aes256,
bool enableKeyDerivation = false,
bool enableConvergentEncryption = false)
{
// The keyname forms the last part of the path
string path = MountPointPath + PathKeys + keyName;
string keyTypeV;
switch (keyType)
{
case TransitEnumKeyType.aes256:
keyTypeV = "aes256-gcm96";
break;
case TransitEnumKeyType.chacha20:
keyTypeV = "chacha20-poly1305";
break;
case TransitEnumKeyType.ecdsa:
keyTypeV = "ecdsa-p256";
break;
case TransitEnumKeyType.ed25519:
keyTypeV = "ed25519";
break;
case TransitEnumKeyType.rsa2048:
keyTypeV = "rsa-2048";
break;
case TransitEnumKeyType.rsa4096:
keyTypeV = "rsa-4096";
break;
default:
keyTypeV = "unknown";
break;
}
Dictionary <string, string> createParams = new Dictionary <string, string>();
createParams.Add("exportable", canBeExported ? "true" : "false");
createParams.Add("allow_plaintext_backup", allowPlainTextBackup ? "true" : "false");
createParams.Add("type", keyTypeV);
// Convergent encryption requires KeyDerivation.
createParams.Add("convergent_encryption", enableConvergentEncryption ? "true" : "false");
if (enableConvergentEncryption)
{
enableKeyDerivation = true;
}
createParams.Add("derived", enableKeyDerivation ? "true" : "false");
// Validate:
if (enableKeyDerivation)
{
if ((keyType == TransitEnumKeyType.rsa2048) || (keyType == TransitEnumKeyType.rsa4096) || (keyType == TransitEnumKeyType.ecdsa))
{
throw new ArgumentOutOfRangeException("keyType", ("Specified keyType: " + keyTypeV + " does not support contextual encryption."));
}
}
return(await CreateEncryptionKey(keyName, createParams));
}
